Information recording medium, information processing device, information storage medium production apparatus, method, and computer program

ABSTRACT

The present invention provides an information storage medium and a method and apparatus for processing information, which manage information storage media so as to prevent unauthorized copies of contents from being distributed or used. On an information storage medium on which an encrypted content is stored, an information storage medium ID which is an identifier uniquely assigned to an information storage medium, and an information storage medium ID revocation list, which is a list of information storage medium IDs determined as invalid, are further stored. In an information processing apparatus configured to read and play back the content stored on the information storage medium, playback of the content is allowed only when the information storage medium ID stored on the information storage medium is not identical to any of revoked information storage medium IDs described in the information storage medium ID revocation list. This prevents an unauthorized copy of a content from being distributed or used.

TECHNICAL FIELD

The present invention relates to an information storage medium, aninformation processing apparatus, an information storage mediumproduction apparatus, a method, and a computer program. Morespecifically, the present invention relates to an information storagemedium, an information processing apparatus, an information storagemedium production apparatus, a method, and a computer program, thatprevent a CD-R disk or the like on which an unauthorized copy of acontent is stored from being distributed or used, by storing a storagemedium identifier on a content storage medium such as a CD, a DVD, or anMD and controlling use of contents, based on a revocation list that is alist of unauthorized storage media.

BACKGROUND ART

It is now very popular to distribute various kinds of software data, forexample, audio data such music data, image data such as movie data, gameprograms, and application programs, via a network such as the Internetor via an information storage medium such as a CD (Compact Disc) or aDVD (Digital Versatile Disk). These distributed contents are played backand used on a PC (Personal Computer) of a user, a playback apparatussuch as a CD player, a DVD player, or an MD player, or a game machine.

In general, the right of distribution of software contents such as musicdata or image data is held by producers or sellers of the softwarecontents. Software contents are generally distributed under specificusage limitation to secure that only authorized users can use softwarecontents and that unauthorized copies thereof cannot be made.

In recent years, it has become popular to digitally store information ona storage medium using a recording apparatus. Digital storage on astorage medium using a digital recording apparatus allows it torepeatedly store and play back image data or audio data without causingdegradation. That is, it is possible to make copies of digital data manytimes without causing degradation in image quality or sound quality.However, this has brought about a problem that a large number ofunauthorized disks, such as CD-R on which unauthorized copies ofcontents are stored, are illegally distributed.

Such illegal distributions of unauthorized storage media in marketscause losses of profits of owners of copyrights or distribution rightsof contents such as music or movie contents.

DISCLOSURE OF INVENTION

In view of the above problems, it is an object of the present inventionto provide an information storage medium, an information processingapparatus, an information storage medium production apparatus, a method,and a computer program, which disable playback or use of an unauthorizedcopy of content stored on a storage medium.

More specifically, it is an object of the present invention to providean information storage medium, an information processing apparatus, aninformation storage medium production apparatus, a method, and acomputer program, which disable playback or use of an unauthorized copyof content stored on a storage medium, by storing a storage mediumidentifier on a content storage medium such as a CD, a DVD, or an MD andcontrolling use of a content illegally copied on another informationstorage medium such as a CD-R, based on a revocation list that is a listof unauthorized storage media.

In a first aspect, the present invention provides an information storagemedium storing thereon an encrypted content,

encryption key information needed in a process of decoding the encryptedcontent,

an information storage medium ID which is an identifier uniquelyassigned to the information storage medium, and

an information storage medium ID revocation list which is a list ofinformation storage medium IDs determined as fraudulent.

In an embodiment of the information storage medium according to thepresent invention, the information storage medium ID revocation listincludes a tampering check value for checking whether data described inthe information storage medium ID revocation list is untamperred.

In an embodiment of the information storage medium according to thepresent invention, the encryption key information includes an enablingkey block (EKB) as encryption key data from which a key used to decryptthe encrypted content is extractable.

In an embodiment of the information storage medium according to thepresent invention, the enabling key block (EKB) is encryption keyinformation that can be decrypted based on a device node key (DNK)provided in the form of a hierarchical key-distribution tree structureto an information processing apparatus that is a device using theinformation storage medium.

In a second aspect, the present invention provides an informationprocessing apparatus for playing back a content stored on an informationstorage medium, including

a memory in which an information storage medium ID revocation list,which is a list of information storage medium IDs determined asfraudulent, is stored,

wherein a check is made as to whether an information storage medium IDstored on the information storage medium is identical to one of revokedinformation storage medium IDs described in the storage mediuminformation ID revocation list stored in the memory, and, if theinformation storage medium ID stored on the information storage mediumis not identical to any one of the revoked information storage mediumIDs described in the information storage medium ID revocation list, acontent playback process is performed.

In an embodiment of the information processing apparatus according tothe present invention, a tampering check process is performed to checkwhether no tampering is made on the information storage medium IDrevocation list stored on the information storage medium, and, if thecheck indicates that no tampering is made, the version of theinformation storage medium ID revocation list stored on the informationstorage medium is compared with the version of that stored in thememory, and the information storage medium ID revocation list stored inthe memory is updated by storing the information storage medium IDrevocation list stored on the information storage medium into the memorywhen the version of the information storage medium ID revocation list isnewer than the version of that stored in the memory.

In an embodiment of the information processing apparatus according tothe present invention, the information processing apparatus has a devicenode key (DNK) as key information provided in the form of a hierarchicalkey-distribution tree structure, and a key used to decrypt an encryptedcontent stored on the information storage medium is extracted bydecoding, based on the device node key (DNK), an enabling key block(EKB) stored as encryption key information on the information storagemedium.

In a third aspect, the present invention provides an information storagemedium production apparatus that produces an information storage mediumsuch that

information is stored on the information storage medium, the informationincluding

an encrypted content,

encryption key information needed in a process of decoding the encryptedcontent, and

an information storage medium ID revocation list which is a list ofinformation storage medium IDs determined as fraudulent, and

an information storage medium ID, which is an identifier uniquelyassigned to each information storage medium, is stored on each producedinformation storage medium such that each information storage medium hasa different information storage medium ID.

In an embodiment of the information storage medium production apparatusaccording to the present invention, the information storage medium IDrevocation list includes a tampering check value for checking whetherdata described in the information storage medium ID revocation list isuntamperred.

In an embodiment of the information storage medium production apparatusaccording to the present invention, the encryption key informationincludes an enabling key block (EKB) as encryption key data to beapplied in the decryption of the encrypted content.

In a fourth aspect, the present invention provides an informationprocessing method of playing back a content stored on an informationstorage medium, including the steps of

reading information storage medium ID stored on the information storagemedium,

checking whether the information storage medium ID stored on theinformation storage medium is identical to one of revoked informationstorage medium IDs described in a storage medium information IDrevocation list, which is a list of invalid information storage mediumIDs and which is stored in a memory of an information processingapparatus, and

playing back the content if and only if the information storage mediumID stored on the information storage medium is not identical to any oneof the revoked information storage medium IDs described in theinformation storage medium ID revocation list.

In an embodiment of the information processing method according to thepresent invention, the method further including the step of updating thelist, the list updating step including the sub-steps of performing atampering check process to check whether no tampering is made on theinformation storage medium ID revocation list stored on the informationstorage medium, if the check indicates that no tampering is made,comparing the version of the information storage medium ID revocationlist stored on the information storage medium with the version of thatstored in the memory, and updating the information storage medium IDrevocation list stored in the memory by storing the information storagemedium ID revocation list stored on the information storage medium intothe memory when the version of the information storage medium IDrevocation list is newer than the version of that stored in the memory.

In an embodiment of the information processing method according to thepresent invention, the method further including the step of acquiring akey used to decode an encrypted content stored on the informationstorage medium by decoding an enabling key block (EKB) stored asencryption key information on the information storage medium, thedecoding of the enabling key block (EKB) being based on a device nodekey (DNK) provided as key information provided in the form of ahierarchical key-distribution tree structure.

In a fifth aspect, the present invention provides a method of producingan information storage medium, including the step of

storing, on the information storage medium, an encrypted content,encryption key information needed in a process of decoding the encryptedcontent, and an information storage medium ID revocation list which is alist of information storage medium IDs determined as fraudulent, and

storing an information storage medium ID, which is an identifieruniquely assigned to each information storage medium, on each producedinformation storage medium such that each information storage medium hasa different information storage medium ID.

In a sixth aspect, the present invention provides a computer programthat executes a process of playing back a content stored on aninformation storage medium, the process including the steps of

reading information storage medium ID stored on the information storagemedium;

checking whether the information storage medium ID stored on theinformation storage medium is identical to one of revoked informationstorage medium IDs described in a storage medium information IDrevocation list, which is a list of invalid information storage mediumIDs and which is stored in a memory of an information processingapparatus, and

playing back the content if and only if the information storage mediumID stored on the information storage medium is not identical to any oneof the revoked information storage medium IDs described in theinformation storage medium ID revocation list.

According to the present invention, as described above, an encryptedcontent, encryption key information needed to decode the encryptedcontent, an information storage medium ID which is an identifieruniquely assigned to an information storage medium, and an informationstorage medium ID revocation list, which is a list of informationstorage medium IDs determined as fraudulent, are stored on theinformation storage medium. In the information processing apparatusconfigured to read and play back the content stored on the informationstorage medium, playback of the content is allowed only when theinformation storage medium ID stored on the information storage mediumis not identical to any of revoked information storage medium IDsdescribed in the information storage medium ID revocation list. Bydescribing information storage medium IDs stored on storage mediadetected as including unauthorized copies of contents in the informationstorage medium ID revocation list, it is possible to prevent a diskhaving an ID identical to any one of IDs described in the list frombeing played back, and thus it is possible to prevent an unauthorizedcopy of a content from being distributed and used.

In the information processing apparatus according to the presentinvention, a tampering check process is performed to check whether notampering is made on the information storage medium ID revocation liststored on the information storage medium. If the check indicates that notampering is made, the version of the information storage medium IDrevocation list stored on the information storage medium is comparedwith the version of that stored in the memory. If the version of theinformation storage medium ID revocation list is newer than the versionof that stored in the memory, the information storage medium IDrevocation list stored in the memory is updated by storing theinformation storage medium ID revocation list stored on the informationstorage medium into the memory. This makes it possible to control thecontent playback operation in accordance with the list that is updatedwhen a newer version is found.

The computer program according to the present invention may be provided,in a computer-readable form, to a general-purpose computer system thatcan execute various program codes, via a storage medium such as a CD, anFD, or an MO or via a communication medium such as a network. Byproviding the computer program in a computer-readable form to thecomputer system, it becomes possible to execute a process on thecomputer system according to the computer program.

These and other objects and features of the present invention willbecome more apparent from the following detailed description ofembodiments with reference to the accompanying drawings. In the presentdescription, the term “system” is used to describe a logical collectionof a plurality of devices, and it is not necessarily required that theplurality of devices be disposed in a single case.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram illustrating data stored on an information storagemedium.

FIG. 2 is a diagram illustrating a data format of an information storagemedium (disk) ID revocation list (DIRL) stored on an information storagemedium.

FIG. 3 is a diagram showing an example of an MAC value generationprocess.

FIG. 4 is a tree structure diagram illustrating various keys, a dataencryption process, and a distribution process.

FIG. 5 shows examples of various keys and enabling key blocks (EKB's)used in distribution of data.

FIG. 6 is a diagram showing an example of a manner in which a contentkey is distributed using an enabling key block (EKB) and an example of amanner in which the enabling key block (EKB) is decoded.

FIG. 7 is a diagram showing an example of a format of an enabling keyblock (EKB).

FIG. 8 is a diagram illustrating a tag structure of an enabling keyblock (EKB).

FIG. 9 is a diagram showing a manner in which categories are definedusing a tree structure.

FIG. 10 is a diagram showing a manner in which categories are definedusing a tree structure.

FIG. 11 is a block diagram showing a structure of an informationprocessing apparatus.

FIG. 12 is a flow chart showing a process performed by an informationprocessing apparatus.

FIG. 13 is a flow chart showing a revocation checking process performedby an information processing apparatus.

FIG. 14 is a flow chart showing a content playback process performed byan information processing apparatus.

FIG. 15 is a diagram showing a manner in which information processingmedia are produced and a manner in which the production of informationprocessing media is controlled.

FIG. 16 is a diagram showing an example of a structure of an apparatusfor producing an information storage medium.

FIG. 17 is a flow chart showing a process of producing an informationstorage medium.

BEST MODE FOR CARRYING OUT THE INVENTION

An information storage medium, an information processing apparatus, amethod, and a computer program according to the present invention aredescribed in detail below.

[1. Information Storage Medium]

First, referring to FIG. 1 and other figures, an example of a format inwhich data is stored on an information storage medium according to thepresent invention is described. FIG. 1 shows data stored on aninformation storage media 100, such as a CD (Compact Disc), a DVD(Digital Versatile Disk), an MD (Mini Disk), or a flash memory. Althoughin the example shown in FIG. 1, the information storage media 100 is ofa disk form, the present invention is not limited to the disk-typeinformation storage medium, but the present invention may also beapplied to other types of information storage media, such as a flashmemory.

Information shown in FIG. 1 is stored on the information storage medium100. A disk ID 101 is an identifier uniquely assigned to the disk, andthe disk ID 101 is stored in a form that does not allow the disk ID 101to be easily deleted or rewritten. The identifier of the informationstorage medium is referred to as a disk ID, because it is assumed in theembodiments described below that the information storage medium is ofthe disk type and is used to store contents. When another type ofinformation storage medium such as a flash memory is used as theinformation storage medium for storing a content, an information storagemedium ID corresponding to the disk ID is assigned and stored therein.

A content is stored in the form of an encrypted content 102. A contentkey necessary to decrypt the encrypted content 102 can be acquired bydecrypting an enabling key block (EKB) 103, which is encryption keyinformation stored on the information storage medium 100, based on adevice node key (DNK) provided in the form of a hierarchical keystructure to an information processing apparatus authorized to use thecontent.

The manner of providing the device node key (DNK) in the hierarchicalkey structure, and the process of acquiring the enabling key block (EKB)based on the device node key (DNK) will be described in detail later.

A disk ID revocation list (DIRL) 104 is also stored on the informationstorage medium 100. The disk ID revocation list (DIRL) 104 is a list ofdisks that have been determined to be fraudulent. For example, when aCD-R including an unauthorized copy of the content stored thereon isfound, the disk ID copied together with the content on the unauthorizedCD-R is extracted. The disk ID revocation list (DIRL) 104 is acollection of such revoked disk IDs. The production, management, andproviding to disk manufacturers, of the disk ID revocation list (DIRL)104 are performed by a particular high-reliability central authority(CA).

A data format of the disk ID revocation list (DIRL) is described belowwith reference to FIG. 2. As shown in FIG. 2, the disk ID revocationlist (DIRL) 150 includes a version number 151 which is monotonicallyincreased depending on the date/time when the disk ID revocation list(DIRL) was produced, a revoked disk ID list 152 which is a list ofrevoked disk IDs, and an authentication code used as a tampering checkvalue 153 defined for the version number 151 and the revoked disk IDlist 152. The tampering check value 153 is data used to check whether notampering has been performed on particular data to be checked, that is,the version number 151 and the revoked disk ID list 152 in this case. Asfor the tampering check value 153, a digital signature using a publickey encryption technique or a message authorization code (MAC) using acommon key encryption technique may be employed.

In the case in which a digital signature using the public key encryptiontechnique is employed as the tampering check value 153, each a playbackapparatus acquires a signature verification key (public key) from areliable institution such as the above-mentioned central authority (CA),and the playback apparatus determines whether no tampering has been madeon the version number 151 and the revoked disk ID list 152, by verifyingthe signature, which has been produced by the central authority (CA)using the signature production key (secret key), based on the acquiredsignature verification key (public key).

When the message authentication code (MAC) is employed as the tamperingcheck value 153, the MAC and produced and verified as described belowwith reference to FIG. 3. The message authentication code (MAC) isproduced as data by which to check whether no tampering has been made onthe data. The MAC value can be produced and verified in various manners.FIG. 3 shows an example of a manner in which the MAC value is producedusing a DES encryption process.

As shown in FIG. 3, a message to be checked, that is, the version number151 and the revoked disk ID list 152 shown in FIG. 2 in this specificcase, is divided into units of 8 bytes (hereinafter, respective dividedunits of the message will be denoted by M1, M2, . . . , MN). Thereafter,first, the exclusive OR of an initial value (IV) and M1 is calculated(and the result is denoted as I1). I1 is then applied to a DESencryption unit, which encrypts the applied I1 using a key (hereafterdenoted as K1) (the result is output as E1). Subsequently, the exclusiveOR of E1 and M2 is calculated, and the result is output as I2 to a DESencryption unit. The DES encryption unit encrypts I2 using the key K1(and the result is output as E2). The above-described process isperformed repeatedly until encryption is completed for all of M1, M2, .. . , MN of the message. Thus, finally, EN is output as a messageauthentication code (MAC).

The MAC value depends on the original data (message), and thus it ispossible to check whether tampering has been made on the data (message)by comparing the stored MAC of interest with the MAC re-calculated basedon the data (message) to be checked. If the comparison indicates thatthere is no difference in terms of the MAC value, it is determined thatno tampering has been made on the data (message) of interest.

As for the key K1 used in production of the MAC value, for example, itis possible to use a key (root key) obtained by decrypting an enablingkey block (EKB) based on a device node key (DNK) given in the form of ahierarchical key structure. As for the initial value IV, it is possibleto use a predetermined value.

[2. Hierarchical Key Structure for Use in Distribution of Keys]

A process of providing a key in the form of a hierarchical treestructure based on a broadcast encryption scheme, and a manner in whichacquisition of the key by an information processing apparatus used as aplayback is controlled apparatus are described below.

In FIG. 4, numerals 0 to 15 at the bottom denote information processingapparatus serving as user devices by which to use contents. Morespecifically, leaves of a hierarchical tree structure correspond torespective devices.

When the devices 0 to 15 are produced or shipped, or after the devices 0to 15 are shipped, a key set (device node key (DNK)) is stored in amemory of each device. The key set includes a leaf key assigned to aleaf corresponding to each device and also includes node keys assignedto respective nodes existing on a path from the leaf to a root of thehierarchical tree structure shown in FIG. 4. In FIG. 4, K0000 to K1111at the bottom level denote leaf keys assigned to the respective devices0 to 15, and KR (root key) to K111 at levels from the top to the secondlevel as counted from the bottom denote node keys.

In the tree structure shown in FIG. 4, for example, the device 0 has aleaf key K0000 and node keys K000, K00, K0, and KR. Similarly, a device5 has K0101, K010, K01, K0, and KR, and a device 15 has K1111, K111, K11K1, and KR. Although in the specific example shown in FIG. 4, the treeincludes only sixteen devices 0 to 15 and the tree has a symmetricfour-level structure, the tree may include a greater number of devicesand may have a different number of levels other than 4.

Each device in the tree structure shown in FIG. 4 may be of varioustypes which may use various types of storage media such as a storagedevice fixedly disposed in a device or a removable storage medium suchas a DVD, a CD, an MD, or a flash memory. Furthermore, various types ofapplication services may be provided via this tree structure. That is,the hierarchal tree structure for use in distribution of contents orcontent keys, such as that shown in FIG. 4, is formed so as to adapt tosuch various types of devices and various types of applications.

In a system including such various types of devices and various types ofapplications, parts thereof are properly grouped. For example, in FIG.4, a part enclosed by a dotted line is set as one group includingdevices 0, 1, 2, and 3, which use the same type of storage medium. Forthe devices included in this group enclosed by the dotted line, a commoncontent in an encrypted form and/or a content key that can be used byall devices in the group may be transmitted to these devices from aprovider via a network or may be provided via an information storagemedium such as a CD. Each device in the group transmits content paymentdata in an encrypted form to the provider or a settlement institution.When an entity such as a content provider, a license serer, or a shopserver transmits data to devices, it is possible to transmit data at thesame time to all devices 0, 1, 2, and 3 in the group enclosed by thedotted line in FIG. 4. The tree shown in FIG. 4 may include a pluralityof such groups.

All node keys and leaf keys may be managed in a unified fashion by onemanagement system serving as a key management center, or node keys andleaf keys may be managed on a group-by-group basis by message datadistribution means such as providers or settlement institutions thattransmit and receive data to and from the respective groups. In a casewhere secrecy of a key is broken, node keys and leaf keys are renewed bythe management system serving as the key management center, theproviders, or the settlement institutions.

In the present tree structure, as can be seen from FIG. 4, all threedevices 0, 1, 2, and 3 included in one group have the same device nodekeys (DNKs) K00, K0, and KR. Use of such common node keys makes itpossible to provide, for example, a common content key only to thedevices 0, 1, 2, and 3. For example, if the node key K00 are held by alldevices 0, 1, 2, and 3. If a new key Knew is encrypted using the nodekey K00 and a value Enc(K00, Knew) obtained as a result of encryption isdistributed to the devices 0, 1, 2, and 3 via a network or a storagemedium, then only the devices 0, 1, 2, and 3 can acquire the new keyKnew by decrypting the encrypted value Enc(K00, Kcon) using the node keyK00 that are held in common by these devices. Herein, Enc(Ka, Kb)denotes data obtained by encrypting Kb using Ka.

At a some point of time t, if it turns out that keys K0011, K001, K00,K0, and KR held by the device 3 have been analyzed by a hacker andsecrecy of the key has been broken, it is needed to isolate the device 3from the system to protect data transmitted or received in the system(group including the devices 0, 1, 2, and 3). For this purpose, it isneeded to change the node keys K001, K00, K0, and KR to new keysK(t)001, K(t)00, K(t)0, and K(t)R and transmit the new keys to thedevices 0, 1, and 2. Herein, K(t)aaa denotes a renewed key of generationof t obtained by renewing a key Kaaa.

Distribution of renewed keys is described below. Renewal of keys isachieved by supplying a table representing block data called an enablingkey block (EKB) such as that shown in FIG. 5(A) to the devices 0, 1, and2 via a network or a storage medium. The enabling key block (EKB)includes encrypted keys used to provide renewed keys to the devicescorresponding to leaves in the tree structure shown in FIG. 4. Theenabling key block (EKB) is also called a key renewal block (KRB).

The enabling key block (EKB) shown in FIG. 5(A) includes block data thatcan be used for renewal of keys only by devices that need renewal ofnode keys. In the specific example shown in FIG. 5, the block data isproduced for the purpose of distributing renewed node keys of generationof t to the devices 0, 1, and 2 in the tree structure shown in FIG. 4.As can be seen from FIG. 4, the devices 0 and 1 need K(t)00, K(t)0, andK(t)R as renewed node keys, and the device 2 needs K(t)001, K(t)00,K(t)0, and K(t)R as renewed node keys.

As can be seen from FIG. 5(A), the EKB includes a plurality of encryptedkeys. An encrypted key Enc(K0010, K(t)001) described at the bottom isproduced by encrypting renewed node key K(t)001 by the leaf key K0010held by the device 2, and thus the device 2 can acquire the renewed nodekey K(t)001 by decrypting Enc(K0010, K(t)001) using the leaf key of thedevice 2. Using this renewed node key K(t)001 obtained via decryption,an encrypted key Enc(K(t)001, K(t)00) in the second level as countedfrom the bottom in FIG. 5(A) can be decrypted into the renewed node keyK(t)00. Similarly, an encrypted key Enc(K((t)00, K(t)0) in the secondlevel as counted from the top in FIG. 5(A) can be decrypted into therenewed node key K(t)0, and an encrypted key Enc(K(t)0, K(t)R) at thetop in FIG. 5(A) can be decrypted into K(t)R. On the other hand, for thedevices K0000 and K0001, the node key K000 is not needed to renew, andthus only renewed keys K(t)00, K(t)0, and K(t)R are needed for thedevices K0000 and K0001. The devices K0000 and K0001 acquire K(t)00 bydecrypting an encrypted key Enc(K000, K(t)00) at the third level ascounted from the top in FIG. 5(A), and acquire the renewed node keyK(t)0 by decrypting the encrypted key Enc(K(t)00, K(t)0) at the secondlevel as counted from the top in FIG. 5(A). Furthermore, K(t)R isacquired by decrypting the encrypted key Enc(K(t)0, K(t)R) at the top inFIG. 5(A). In this way, the devices 0, 1, and 2 can acquire the renewedkey K(t)R. In FIG. 5(A), indices indicate the absolute addresses of thenode keys and leaf keys used as decryption keys.

In a case where the node keys K(t)0 and K(t)R in high levels of the treestructure shown in FIG. 4 are not need to be renewed, but only the nodekey K00 is needed to renew, the enabling key block (EKB) may be formedsuch as shown in FIG. 5(B) whereby the renewed node key K(t)00 can bedistributed to the devices 0, 1, and 2.

The EKB shown in FIG. 5(B) may be used to distribute a new content keyto be used in common by a particular group. For example, let us assumethat the devices 0, 1, 2, and 3 in the group enclosed by the dotted linein FIG. 4 use a particular type of storage media and that a new commoncontent key K(t)con is needed. In this case, the renewed content keyK(t)con for use in common is encrypted using K(t)00 obtained by renewingthe node key K00 used in common by the devices 0, 1, 2, and 3, andresultant encrypted data Enc(K(t)00, K(t)con) is distributed togetherwith the EKB shown in FIG. 5(B). This method of distribution allows datato be distributed such that the distributed data cannot be decrypted bythe other devices such as a device 4.

That is, the devices 0, 1, and 2 can acquire the content key K(t)conthat is valid at the point of time t by decrypting the encrypted datadescribed above using K(t)00 that can be obtained by processing the EKB.

FIG. 6 illustrates a specific example of a process of extracting acontent key K(t)con, as of the time t, used to encrypt/decrypt acontent, from an EKB. Herein, it is assumed that the EKB includesEnc(K(t)00, K(t)con) obtained by encrypting the content key K(t)conusing K(t)00 and also includes data shown in FIG. 5(B). In the followingdiscussion, by way of example, the process performed by the device 0 isdescribed.

As shown in FIG. 6, the device 0 produces the node key K(t)00 byprocessing the EKB of the generation of t stored on the storage medium,by using the node key K000, which is already held by the device 0, in asimilar manner as described above. Thereafter, the renewed content keyK(t)con is acquired by decrypting the encrypted data Enc(K(t)00,K(t)con) using the renewed node key K(t)00. Furthermore, the renewedcontent key K(t)con may be encrypted using the leaf key K0000 held onlyby the device 0 so that the content key K(t)con can be used at any timethereafter.

In some cases, renewing of node keys in the form of tree structure isnot necessary, but it is needed to provide only a content key K(t)convalid as of the time of t to particular devices. This can beaccomplished as follows.

To send the content key K(t)con only to devices 0, 1, and 2 as in theexample shown in FIG. 6, the EKB is set as follows. Version: t IndexEncrypted Key 000 Enc(K000, K(t)con) 0010 Enc(K0010, K(t)con)

The devices 0 and 1 can acquire the content key by decrypting one ofencrypted code included in the EKB based on K000, and the device 2 canacquire the content key by decrypting one of encrypted code included inthe EKB based on K0010. The method described above makes it possible toprovide a content key to particular devices in a more sufficient manner(that is, the enabling key block (EKB) includes a less number ofencrypted codes and thus has a smaller data size, and the enabling keyblock (EKB) can be encrypted by the center authority (CA) and can bedecrypted by devices by a less number of processing steps), althoughrenewing of node keys is impossible.

FIG. 7 shows an example of a format of an enabling key block (EKB). Aversion 201 is an identifier indicating the version of the enabling keyblock (EKB). The version serves not only to identify the newest EKB butalso to indicate the correspondence with contents. The depth indicatesthe number of layers of a hierarchical tree of devices to which theenabling key block (EKB) is distributed. A data pointer 203 points to alocation of data field in the enabling key block (EKB). A tag pointer204 points to a location of a tag field, and a signature pointer 205points to a location of a signature.

The data field 206 is used to store encrypted data such as a renewednode key. For example, data of encrypted keys associated with a renewednode key, such as that shown in FIG. 5, is stored in the data field.

The tag field 207 is used to store tags indicating the locations of theencrypted node keys and leaf key stored in the data field. The rule ofdetermining the tags is described below with reference to FIG. 8. In aspecific example shown in FIG. 8, the enabling key block (EKB) describedabove with reference to FIG. 5(A) is transmitted as the data. A table(b) in FIG. 8 shows the data that is transmitted in this specificexample. Herein, the address of a top node in encrypted keys is referredto as a top node address. In this specific case, because a renewed rootkey K(t)R is included in the encrypted keys, the top node address isgiven as KR. Data Enc(K(t)0, K(t)R) at the top corresponds to a locationof a hierarchical tree shown in (a) of FIG. 8. The location in thehierarchical tree for next data Enc(K(t)00, K(t)0) is lower left to thelocation of the previous data. When there is data, a tag is set to 0,while the tag is set to 1 when there is no data. The tag is representedin the form of {L-tag, R-tag}, wherein L-tag denotes a left tag andR-tag denotes a right tag. In the case of the data Enc(K(t)0, K(t)R) inthe top row, there is data to the left thereof, and thus the L-tag isset to 0, while the R-tag is set to 1 because there is no data to theright thereof. Tags are set for all data in a similar manner. As aresult, a sequence of data and a sequence of tags are produced as shownin FIG. 8(c).

The tags indicate the locations of data Enc(Kxxx, Kyyy) in the treestructure. Key data Enc(Kxxx, Kyyy) stored in a data field is a simplesequence of encrypted keys, and thus the tags are used to indicate thelocations, in the tree, of encrypted keys stored in the data field.Instead of using the tags, the locations in the tree may be representedby adding node indexes to the corresponding encrypted data, as describedearlier with reference to FIG. 5. More specifically, the node indexesmay be added as follows.

0: Enc(K(t)0, K(t)root)

00: Enc(K(t)00, K(t)0)

000: Enc(K((t)000, K(T)00)

However, use of the indexes results in redundancy in the data, and thusa greater data size is needed to describe the data, which is undesirablein transmission via a network. In contrast, if tags are used as indexdata indicating the locations of keys, the locations of keys can beindicated by data with a smaller data size.

Referring back to FIG. 7, the format of EKB is described further. Asignature 208 is a digital signature written by a management systemhaving a key management center, a content server, a license server, or ashop server, which issues an enabling key block (EKB). When a devicereceives an EKB, the device verifies the signature to determine whetherthe received enabling key block (EKB) is a correct one issued by anauthorized enabling key block (EKB) issuer.

Now, an explanation is given as to a manner in which devices arecategorized using a hierarchical tree structure defining node keysthereby making it possible to efficiently renew keys, provide encryptedkeys, and transmit data.

FIG. 9 shows an example of categorization using a hierarchical treestructure. In this example shown in FIG. 9, a root key Kroot 301 isassigned to the top of the hierarchical tree structure, node keys 302are assigned in middle levels, and leaf keys 303 are assigned at thebottom. Each device has a set of keys including a leaf key of the deviceitself, the root key, and node keys existing in the path from the leafkey to the root key.

By way of example, it is assumed herein that nodes in an M-th level ascounted from the top are defined as category nodes 304. That is, nodesin the M-th level are employed to define specific categories of devices.One node at the M-th level is employed as a top node, and nodes andleaves that exist at the (M+1)th level and lower levels in pathsoriginating from that top node are defined to be included in thecategory assigned to the top node.

For example, one node 305 in the M-th level in FIG. 9 is employed todefine a category A, and nodes and leaves existing in paths originatingfrom this node are defined to correspond to various devices belonging tothe category of A. That is, a set of nodes including the node 305 andassociated lower-level nodes and leaves is defined to belong to thecategory A.

Furthermore, a sub-category node 306 may be set at a level a propernumber of levels below the M-th level. For example, as shown in FIG. 9,a node of a sub-category Aa belonging to the category A may be set at alevel two levels below the category node 305 assigned to the category A,and the node of the sub-category Aa may be assigned as a node of“playback-only apparatus”. Similarly, a node 307 below the node 306 ofthe sub-category Aa assigned for the playback-only apparatus may beemployed for a sub-category of “telephones having a music playbackcapability” belonging to the category of playback-only apparatus. At afurther lower level, a sub-category node 308 of “PHS” and a sub-categorynode 309 of “portable telephone” may be defined such that bothsub-categories belong to the category of telephone having music playbackcapability.

Categories and subcategories can be defined according to not only thetypes of devices but also manufacturers, content providers, orsettlement institutions, and those nodes may be respectively managed bythem. That is, categories and subcategories may be defined so as to havearbitrary scopes in accordance with, for example, processing, managementorganizations, or services provided. For example, if one category nodeis set as a top node for dedicated use for a game machine XYZ providedby a game machine manufacturer, it becomes possible to sell gamemachines XYZ in which node keys and leaf keys below the top node arestored. After selling the game machines XYZ, encrypted contents or keysmay be supplied or keys may be renewed by supplying an enabling keyblock (EKB) including the top node key and node keys and leaf keys belowthe top node so that only devices below the top node can use thesupplied data.

When a node managed by a content provider is employed as a categorynode, it is possible to assign nodes below that category node to devicesthat use information storage media such as a CD, an MD, or a DVD onwhich contents provided by the content provider are stored or that usecontents provided via a network by the content provider, so that eachdevice assigned a particular node can use node keys and a leaf key atlevels below the assigned node.

As described above, when one node is given as a top node, lower-levelnodes arising from the top node are defined as belonging to a categoryor a sub-category assigned to that top node, thereby making it possiblefor a manufacturer or a content provider that manages one top node ofone category or sub-category to produce an enabling key block (EKB)including that top node without having to taking into account the othercategories or sub-categories and distribute the resultant enabling keyblock (EKB) to devices corresponding to the top node or the lower-levelnodes arising from the top nodes, and thus making it possible to renew akey without exerting any influence on devices belonging to the othercategories that do not belong to that top node.

Keys are managed in the form of a tree structure, for example, as shownin FIG. 10. In this example shown in FIG. 10, nodes at 8+24+32 levelsare defined in a tree structure and categories are assigned to the rootnode and respective nodes at 8 levels below the root node. Herein, thecategories may be a category of devices that use a semiconductor memorysuch as a flash memory, or a category of devices that receive digitalbroadcast. One of these category nodes is assigned to a system thatmanages licenses (hereinafter referred to as a T system).

Keys corresponding to nodes at 24 levels located below the node of the Tsystem are used by management entities or service providers such as shopservers or license servers or used for services provided by serviceproviders. In this specific case, it is possible to define 2²⁴ (about 16mega) service providers or services at these nodes. At further lower 32levels, it is possible to define 2³² (about 4 giga) users (or userdevices). Keys corresponding to respective nodes located on paths fromeach node at the bottom of the lowest 32 levels to the node of the Tsystem are DNKs (Device Node Keys), and leaf IDs are defined at thebottom level.

For example, a content key by which a content has been encrypted isencrypted using a renewed root key KR′, a renewed node key at a higherlevel is encrypted using a renewed node key at an immediately lowerlevel, and these encrypted content key and encrypted renewed node keysare disposed in an EKB. A renewed node key at a level immediately abovethe bottom of the EKB is encrypted using a node key or a leaf key at thebottom of the EKB and disposed in the EKB.

In a user device, using one of DNKs described in service data, therenewed node key at the level immediately above the DNK, described inthe EKB distributed together with content data, is decrypted. Using thekey obtained as a result of decryption, the renewed node key at thefurther higher level described in the EKB is decrypted. By performingdecryption successively in a similar manner, the user device can acquirethe renewed root key KR′.

As described above, in the categorization using the tree structure, acategory can be defined at a top node, and nodes at levels below thattop node can be used as nodes associated with that category orsub-categories thereof. Each manufacturer or service provider thatmanages one of top nodes at a category level or a sub-category levelproduces an enabling key block (EKB) whose top node is the node managedby the manufacturer or the service provider, and distributes the EKB todevices corresponding to nodes at levels below the top node.

[3. Process Performed by Information Processing Apparatus]

Now, a content using process performed by an information processingapparatus such as a playback apparatus to play back a content stored onan information storage medium is described below.

FIG. 11 is a block diagram showing a structure of an informationprocessing apparatus 500 according to an embodiment of the presentinvention. The information processing apparatus 500 includes aninput/output I/F (Interface) 520, a codec 530 that encodes and decodesdata according to, for example, the MPEG (Moving Picture Experts Group)standard, an input/output I/F (Interface) 540 including A/D and D/Aconverters 541, encryption processing means 550, a ROM (Read OnlyMemory) 560, a CPU (Central Processing Unit) 570, a memory 580, and astorage medium interface (I/F) 590 for interfacing with a storage medium595. These parts are connected to each other via a bus 510.

The input/output I/F 520 receives a digital signal supplied from theoutside via a network or the like and outputs the received digitalsignal over the bus 510. The input/output I/F 520 also receives adigital signal supplied via the bus 510 and outputs the received digitalsignal to the outside. The codec 530 decodes MPEG-coded data suppliedvia bus 510 and outputs the resultant data to the input/output I/F 540.The codec 530 also encodes a digital signal supplied from theinput/output I/F 540 and outputs the resultant encoded digital signalover the bus 510. The input/output I/F 540 includes the A/D and D/Aconverters 541. When the input/output I/F 540 receives an analog signalsupplied from the outside, the input/output I/F 540 converts thereceived analog signal into a digital signal using the A/D and D/Aconverters 541 and outputs the resultant digital signal to the codec530. On the other hand, when the input/output I/F 540 receives a digitalsignal from the codec 530, the input/output I/F 540 converts thereceived digital signal into an analog signal using the A/D and D/Aconverters 541 and outputs the resultant analog signal to the outside.

The encryption processing means 550 is implemented, for example, in theform of a one-chip LSI (Large Scale Integrated Circuit) and serves toencrypt or decrypt a digital signal such as a digital content datasupplied via the bus 510 and outputs the resultant signal over the bus510. The encryption processing means 550 does not necessarily need to beimplemented on a one-chip LSI but may be implemented using software or acombination of software and hardware.

The ROM 560 stores a leaf key that is a device key uniquely assigned tothe information processing apparatus or to a group of informationprocessing apparatuses and also stores node keys that are common devicekeys assigned to a plurality of information processing apparatuses or toa plurality of groups. The CPU 570 controls the codec 530 and theencryption processing means 550 by executing a program stored in thememory 580.

The memory 580 reads a disk ID revocation list (DIRL) from a disk andstores it. The disk ID revocation list (DIRL) is securely stored in thememory. That is, it is desirable that the disk ID revocation list (DIRL)be encrypted based on an ID assigned to the information processingapparatus 500 and the resultant encrypted disk ID revocation list (DIRL)be stored in the memory so that the disk ID revocation list (DIRL)cannot be easily tampered. That is, the disk ID revocation list (DIRL)is stored in a form that prevents it from being deleted, tampered, orreplaced with an old version of the disk ID revocation list (DIRL).

The memory 580 includes a storage area used to store a program executedby the CPU 570 and a storage area used to store data necessary in theprocess performed by the CPU 570. The storage medium interface 590 reads(plays back) digital data from the storage medium 595 by driving thestorage medium 595 capable of writing and reading digital data, andoutputs the read digital data over the but 510. The storage mediuminterface 590 also receives digital data via the bus 510 and suppliesthe received digital data to the storage medium 595 to store it thereon.

The storage medium 595 is a medium capable of storing digital data.Specific examples of the storage medium 595 include an optical disk suchas a DVD, a CD or an MD, a magentooptical disk, a magnetic disk, amagnetic tape, and a semiconductor memory such as a RAM. Herein, it isassumed that the storage medium 595 is removably connected to thestorage medium interface 590, although the storage medium 595 may befixedly disposed inside the information processing apparatus 500.

With reference to flow charts shown in FIGS. 12 to 14, an explanation isgiven as to a process performed by the information processing apparatus500 to use a content stored on the information storage medium.

FIG. 12 shows a pre-process performed when the information storagemedium described earlier with reference to FIG. 1 is set on theinformation processing apparatus, before a content playback process isstarted.

In step S101, the information processing apparatus reads the disk IDrevocation list (DIRL) stored on the information storage medium, andchecks whether the disk ID revocation list (DIRL) is valid, that is,whether it is in an untamperred state. As described above, when adigital signature using a public key encryption technique is used as atampering check value for the disk ID revocation list (DIRL), thechecking is accomplished using a signature verification key (publickey). On the other hand, in the case in which a message authenticationcode (MAC) is attached as the tampering check value, the MACverification process described above with reference to FIG. 3 isperformed.

If it is determined that the disk ID revocation list (DIRL) has beentampered (that is, if the answer to step S102 is no), the processproceeds to step S106. In step S106, the process is ended withoutperforming the following process, that is, playback process.

If it is determined that the disk ID revocation list (DIRL) is in theuntamperred state (that is, if the answer to step S102 is Yes), theprocess proceeds to step S103. In step S103, the version of the disk IDrevocation list (DIRL) read from the information storage medium iscompared with the version of the disk ID revocation list (DIRL) storedin the memory of the information processing apparatus. If the version ofthe disk ID revocation list (DIRL) read from the information storagemedium is newer than the version of the disk ID revocation list (DIRL)stored in the memory of the information processing apparatus, then, instep S105, the disk ID revocation list (DIRL) stored in the memory ofthe information processing apparatus updated by writing the disk IDrevocation list (DIRL) read from the information storage medium into thememory of the information processing apparatus. This process allows thedisk ID revocation list (DIRL) stored in the memory of the informationprocessing apparatus to be updated whenever a newer version of the diskID revocation list (DIRL) is found.

In a case in which no disk ID revocation list (DIRL) is stored in thememory of the information processing apparatus, if the tampering checkprocess indicates that the disk ID revocation list (DIRL) read from theinformation storage medium is valid, the disk ID revocation list (DIRL)is directly stored into the memory of the information processingapparatuses without performing the comparison in terms of the version.

In the example described above, the disk ID revocation list (DIRL) isstored on the disk, and the disk ID revocation list (DIRL) stored in thememory of the playback apparatus is updated using the disk ID revocationlist (DIRL) stored on the disk. Alternatively, the informationprocessing apparatus may acquire a newest disk ID revocation list (DIRL)from a central authority or a server entrusted by the central authorityvia a telephone line or the Internet, and the disk ID revocation list(DIRL) stored in the memory may be updated according to the acquirednewest disk ID revocation list (DIRL). When the information processingapparatus is produced, a disk ID revocation list (DIRL), which is newestas of that time, may be stored in the memory of the informationprocessing apparatus. Among information processing apparatuses locatedin a home and connected to each other via a network, information aboutthe version of the disk ID revocation list (DIRL) stored in the memoryof each information processing apparatus is provided to each other, andan old version of disk ID revocation list (DIRL) may be replaced with anewer version of disk ID revocation list (DIRL). If the medium used isof a rewritable type, a newest version of disk ID revocation list (DIRL)is written on the medium by a recording apparatus, and a disk IDrevocation list (DIRL) of an apparatus may be updated according to thenewest disk ID revocation list (DIRL) written on the medium of therewritable type when the medium is handled.

Now, referring to FIG. 13, a revocation checking process performed bythe information processing apparatus is described below. This process isperformed following the process shown in FIG. 12. In step S201, theinformation processing apparatus reads information storage medium IDfrom the information storage medium.

In step S202, a check is made as to whether the information storagemedium ID read from the information storage medium is included in therevoked ID list of the disk ID revocation list (DIRL) stored in thememory of the information processing apparatus.

In step S203, if the information storage medium ID read from theinformation storage medium is found in the revoked ID list of the diskID revocation list (DIRL), the process proceeds to step S204. In stepS204, the process is ended without performing the following process,that is, without performing the content playback process.

When the information storage medium ID read from the information storagemedium is included in the revoked ID list, the information storagemedium ID read from the information storage medium is one of informationstorage medium IDs that have been detected by the central authority (CA)from illegally copied information storage media such as CD-R and thathave been described in the revoked ID list. In this case, theinformation storage medium set on the information processing apparatusis one of unauthorized information storage media such as illegallycopied CD-R or the like, and thus the information processing apparatusends the process without allowing the content to be played back fromthis information storage medium.

In the case in which it is determined in step S203 that the informationstorage medium ID read from the information storage medium is notincluded in the revoked ID list of the disk ID revocation list (DIRL),the content playback process is started.

Referring to FIG. 14, the content playback process is described below.In step S301, the information processing apparatus reads encryption keyinformation, i.e., an enabling key block (EKB) from the informationstorage medium. In step S302, the information processing apparatusacquires a content key by decoding the enabling key block (EKB), basedon a device node key (DNK) that has already been supplied, in the formof a hierarchical key structure, to the information processingapparatus, in a similar manner to that described above with reference toFIG. 6.

In step S303, an encrypted content to be played back is read from theinformation storage medium. In step S304, the encrypted content isdecoded using the content key acquired in step S302, and the decryptedcontent is played back. In step S305, it is determined whether the endof the content being played back has been reached. If not, steps S303and S304 are repeated. If the end of the content being played back hasbeen reached, the process is ended.

When the content key is extracted, the extraction may be performed usingnot only the EKB but also other information stored on the disk, such ascontent copy control information. When a disk manufacturer produces adisk, the content key encrypted using a root key may be stored on thedisk, and the information processing apparatus may acquire the contentkey by decrypting this encrypted content key.

On the same information storage medium, the content may be encryptedusing different content keys depending on addresses at which the contentis stored. In this case, the information processing apparatus repeatedlyperforms steps S301 to S304 as many times as needed to read the contentand decode it.

[4. Production, Supply, and Management of Information Storage Medium]

Referring to FIG. 15, production, supply, and management of aninformation storage medium on which a content is stored are describedbelow.

In an example shown in FIG. 15, an information storage mediummanufacturer 603 produces an information storage medium 604, such as aCD, and the produced information storage medium is used on aninformation processing apparatus 605 of a user.

As described earlier with reference to FIG. 1, an encrypted content,encryption key information, an information storage medium (disk) ID, andinformation storage medium (disk) ID revocation list (DIRL) are storedon an information storage medium.

A content provider 602 encrypts the content and provides the resultantencrypted content to the information storage medium manufacturer 603.The content provider 602 also provides, to the information storagemedium manufacturer 603, an enabling key block (EKB) that can beprocessed only by a device node key (DNK) possessed by a device(information processing apparatus) of a particular user. A centralauthority (CA) 601 provides the information storage medium (disk) ID andthe information storage medium (disk) ID revocation list (DIRL) to theinformation storage medium manufacturer 603.

The information storage medium manufacturer 603 produces the informationstorage medium (disk) 604 on which the encrypted content and theenabling key block (EKB) received from the content provider 602 and theinformation storage medium (disk) ID and the information storage medium(disk) ID revocation list (DIRL) received from the central authority(CA) 601 are stored, and the information storage medium manufacturer 603provides the produced storage medium (disk) 604 to a user. If the usersets the information storage medium (disk) 604 on the informationprocessing apparatus 605, the content usage process described above isperformed.

The providing of the device node key (DNK) to the user informationprocessing apparatus may be performed by either the central authority601 or the content provider 602, or otherwise by another serviceprovider, which is not shown in the figure.

With reference to FIG. 16, an example of the construction of aninformation storage medium production apparatus is described below. Theinformation storage medium production apparatus 700 includes aninput/output I/F (Interface) 720, encryption processing means 750, a ROM(Read Only Memory) 760, a CPU (Central Processing Unit) 770, a memory780, and a storage medium interface (I/F) 790 for interfacing with astorage medium 795. These parts are connected to each other via a bus710.

The input/output I/F 720 receives a digital signal supplied from theoutside and outputs the received digital signal over the bus 710. Morespecifically, for example, the input/output I/F 720 receives anencrypted content and an enabling key block (EKB) from a contentprovider, and an information storage medium (disk) ID and an informationstorage medium (disk) ID revocation list (DIRL) from a central authority(CA) via a network. Note that as many information storage medium (disk)IDs as the number of disks to be produced are received from the centralauthority (CA).

The encryption processing means 730 is implemented, for example, in theform of a one-chip LSI (Large Scale Integrated Circuit) and serves toencrypt or decrypt a digital signal such as digital content datasupplied via the bus 710 and outputs the resultant signal over the bus710. In a case in which the content provided by the content provider isin an unencrypted form, the encryption processing means 730 encrypts thecontent. The encryption processing means 750 does not necessarily needto be implemented on a one-chip LSI but may be implemented usingsoftware or a combination of software and hardware.

The memory 740 stores the encrypted content and the enabling key block(EKB) received from the content provider, and the information storagemedium (disk) ID and the information storage medium (disk) ID revocationlist (DIRL) received from the central authority (CA). Note that as manyinformation storage medium (disk) IDs as the number of disks to beproduced are received from the central authority (CA) and stored in thememory 740.

The controller 750 performs control the process of producing theinformation storage medium in accordance with a production program. Thecontroller 750 includes a control unit such as a CPU and a memory inwhich the program is stored. Under the control of the controller 750,data stored in the memory 740 is stored onto the storage medium.

The storage medium 770 is a medium capable of storing digital data.Specific examples of the storage medium 770 include an optical disk suchas a DVD, a CD or an MD, a magentooptical disk, a magnetic disk, amagnetic tape, and a semiconductor memory such as a RAM. Data to bestored is received via the storage medium interface 760 and stored onthe storage medium 770.

Referring to FIG. 17, the disk production process is described below.This process shown in FIG. 17 is performed by the information storagemedium production apparatus of the information storage mediummanufacturer. As described above, the information storage medium has thememory, in which the encrypted content and the enabling key block (EKB)received from the content provider, and the information storage medium(disk) ID and the information storage medium (disk) ID revocation list(DIRL) received from the central authority (CA) are stored. Note that asmany information storage medium (disk) IDs as the number of disks to beproduced are received from the central authority (CA).

In step S401, the information storage medium (disk) ID revocation list(DIRL), received from the central authority (CA) and stored in thememory, is read from the memory. In steps S402 and S403, the enablingkey block (EKB) and the encrypted content received from the contentprovider are read from the memory. In step S404, a master disk isproduced by writing these data on an information storage medium (disk).

In the next step S405, copies of the master disk are produced by astamping process using the master disk. Then in step S406, the disk IDsreceived from the central authority (CA) and stored in the memory aresequentially read from the memory and written on the respective disks.In step S407, if the number of produced disks reaches the number of diskIDs received from the central authority (CA), the production of disks isended.

As described above, the disk manufacturer stores different IDs on therespective produced disks according to the number of disk IDs receivedfrom the central authority (CA).

Thus, the information storage media (disks) distributed in markets havedifferent IDs. Therefore, if a plurality of disks having the same diskIDs are found, they are regarded as unauthorized copies of disks, andthe central authority (CA) updates the information storage medium (disk)ID revocation list (DIRL) such that the detected unauthorized disk IDsare added to the list, and the central authority (CA) supplies theupdated list to the disk manufacturers so that the updated list isstored on disks produced thereafter.

If a user, who purchased a disk having the updated list, sets the diskon the information processing apparatus to play back a content, then, asdescribed earlier, the version of the list is compared with the versionof the information storage medium (disk) ID revocation list (DIRL)stored in the memory of the information processing apparatus, and theupdated list is stored in the memory. Thus, the list stored in thememory of the information processing apparatus of the user is updatedwhen a newer version of the list is found.

The present invention has been described in detail above with referenceto particular embodiments. It should be apparent to those skilled in theart that various modifications and substitutions are possible withoutdeparting from the spirit and the scope of the invention. That is, theembodiments have been described above by way of example but not oflimitation. The scope of the invention is to be determined solely by theclaims.

Any of the processes disclosed in the present description may beperformed by means of hardware, software, or a combination of hardwareand software. In the case in which a process is performed by means ofsoftware, a program of the process may be installed into a memorydisposed in a dedicated computer embedded in hardware and the programmay be executed by the computer, or the program may be installed on ageneral-purpose computer capable of executing various processes and maybe executed on the general-purpose computer.

The program may be stored in advance in a storage medium such as a harddisk or a ROM (Read Only Memory). Alternatively, the program may bestored (recorded) temporarily or permanently on a removable storagemedium such as a floppy disk, a CD-ROM (Compact Disc Read Only Memory),an MO (Magnetooptical) disk, a DVD (Digital Versatile Disc), a magneticdisk, or a semiconductor memory. Such a removable storage medium may beprovided in the form of so-called package software.

Instead of installing the program from the removable storage medium ontothe computer, the program may also be transferred to the computer from adownload site via radio transmission or via a network such as an LAN(Local Area Network) or the Internet by means of wire communication. Inthis case, the computer receives the program transmitted in theabove-described manner and installs the program on a storage medium suchas a hard disk disposed in the computer.

The processes disclosed in the present description may be performedtime-sequentially in the same order as that described in the program, ormay be performed in parallel or individually depending on the processingpower of the computer.

INDUSTRIAL APPLICABILITY

According to the present invention, as described above, an encryptedcontent, encryption key information needed to decode the encryptedcontent, an information storage medium ID which is an identifieruniquely assigned to an information storage medium, and an informationstorage medium ID revocation list, which is a list of informationstorage medium IDs determined as fraudulent, are stored on theinformation storage medium. In an information processing apparatusconfigured to read and play back the content stored on the informationstorage medium, the playback of the content is allowed only when theinformation storage medium ID stored on the information storage mediumis not identical to any of revoked information storage medium IDsdescribed in the information storage medium ID revocation list. Bydescribing information storage medium IDs stored on storage mediadetected as including unauthorized copies of contents in the informationstorage medium ID revocation list, it is possible to prevent a diskhaving an ID identical to any one of IDs described in the list frombeing played back, and thus it is possible to prevent an unauthorizedcopy of a content from being distributed and used.

Furthermore, in the information processing apparatus according to thepresent invention, a tampering check process is performed to checkwhether no tampering is made on the information storage medium IDrevocation list stored on the information storage medium. Only when thecheck indicates that no tampering is made, the version of theinformation storage medium ID revocation list stored on the informationstorage medium is compared with the version of that stored in thememory, and, if the version of the information storage medium IDrevocation list is newer than the version of that stored in the memory,the information storage medium ID revocation list is updated by storingthe information storage medium ID revocation list stored on theinformation storage medium into the memory. This makes it possible tocontrol the content playback operation in accordance with the list thatis updated when a newer version is found.

1. An information storage medium storing: an encrypted content;encryption key information needed in a process of decoding the encryptedcontent; an information storage medium ID which is an identifieruniquely assigned to the information storage medium; and an informationstorage medium ID revocation list which is a list of information storagemedium IDs determined as fraudulent.
 2. An information storage mediumaccording to claim 1, wherein the information storage medium IDrevocation list includes a tampering check value for checking whetherdata described in the information storage medium ID revocation list isuntamperred.
 3. An information storage medium according to claim 1,wherein the encryption key information includes an enabling key block(EKB) as encryption key data from which a key used to decrypt theencrypted content is extractable.
 4. An information storage mediumaccording to claim 3, wherein the enabling key block (EKB) is encryptionkey information that can be decrypted based on a device node key (DNK)provided in the form of a hierarchical key-distribution tree structureto an information processing apparatus that is a device using theinformation storage medium.
 5. An information processing apparatus forplaying back a content stored on an information storage medium,comprising: a memory in which an information storage medium IDrevocation list, which is a list of information storage medium IDsdetermined as fraudulent, is stored, wherein a check is made as towhether an information storage medium ID stored on the informationstorage medium is identical to one of revoked information storage mediumIDs described in the storage medium information ID revocation liststored in the memory, and, if the information storage medium ID storedon the information storage medium is not identical to any one of therevoked information storage medium IDs described in the informationstorage medium ID revocation list, a content playback process isperformed.
 6. An information processing apparatus according to claim 5,wherein a tampering check process is performed to check whether notampering is made on the information storage medium ID revocation liststored on the information storage medium, and, if the check indicatesthat no tampering is made, the version of the information storage mediumID revocation list stored on the information storage medium is comparedwith the version of that stored in the memory, and the informationstorage medium ID revocation list stored in the memory is updated bystoring the information storage medium ID revocation list stored on theinformation storage medium into the memory when the version of theinformation storage medium ID revocation list is newer than the versionof that stored in the memory.
 7. An information processing apparatusaccording to claim 5, wherein: the information processing apparatus hasa device node key (DNK) as key information provided in the form of ahierarchical key-distribution tree structure; and a key used to decryptan encrypted content stored on the information storage medium isextracted by decoding, based on the device node key (DNK), an enablingkey block (EKB) stored as encryption key information on the informationstorage medium.
 8. An information storage medium production apparatusthat produces an information storage medium such that: information isstored on the information storage medium, the information including anencrypted content, encryption key information needed in a process ofdecoding the encrypted content, and an information storage medium IDrevocation list which is a list of information storage medium IDsdetermined as fraudulent, and an information storage medium ID, which isan identifier uniquely assigned to each information storage medium, isstored on each produced information storage medium such that eachinformation storage medium has a different information storage mediumID.
 9. An information storage medium production apparatus according toclaim 8, wherein the information storage medium ID revocation listincludes a tampering check value for checking whether data described inthe information storage medium ID revocation list is untamperred.
 10. Aninformation storage medium production apparatus according to claim 8,wherein the encryption key information includes an enabling key block(EKB) as encryption key data to be applied in the decryption of theencrypted content.
 11. An information processing method of playing backa content stored on an information storage medium, comprising the stepsof: reading information storage medium ID stored on the informationstorage medium; checking whether the information storage medium IDstored on the information storage medium is identical to one of revokedinformation storage medium IDs described in a storage medium informationID revocation list, which is a list of invalid information storagemedium IDs and which is stored in a memory of an information processingapparatus; and playing back the content if and only if the informationstorage medium ID stored on the information storage medium is notidentical to any one of the revoked information storage medium IDsdescribed in the information storage medium ID revocation list.
 12. Aninformation processing method according to claim 11, further comprisingthe step of updating the list, the list updating step including thesub-steps of performing a tampering check process to check whether notampering is made on the information storage medium ID revocation liststored on the information storage medium, if the check indicates that notampering is made, comparing the version of the information storagemedium ID revocation list stored on the information storage medium withthe version of that stored in the memory, and updating the informationstorage medium ID revocation list stored in the memory by storing theinformation storage medium ID revocation list stored on the informationstorage medium into the memory when the version of the informationstorage medium ID revocation list is newer than the version of thatstored in the memory.
 13. An information processing method according toclaim 11, further comprising the step of acquiring a key used to decodean encrypted content stored on the information storage medium bydecoding an enabling key block (EKB) stored as encryption keyinformation on the information storage medium, the decoding of theenabling key block (EKB) being based on a device node key (DNK) providedas key information provided in the form of a hierarchicalkey-distribution tree structure.
 14. A method of producing aninformation storage medium, comprising the step of: storing, on theinformation storage medium, an encrypted content, encryption keyinformation needed in a process of decoding the encrypted content, andan information storage medium ID revocation list which is a list ofinformation storage medium IDs determined as fraudulent; and storing aninformation storage medium ID, which is an identifier uniquely assignedto each information storage medium, on each produced information storagemedium such that each information storage medium has a differentinformation storage medium ID.
 15. A computer program that executes aprocess of playing back a content stored on an information storagemedium, the process comprising the steps of: reading information storagemedium ID stored on the information storage medium; checking whether theinformation storage medium ID stored on the information storage mediumis identical to one of revoked information storage medium IDs describedin a storage medium information ID revocation list, which is a list ofinvalid information storage medium IDs and which is stored in a memoryof an information processing apparatus; and playing back the content ifand only if the information storage medium ID stored on the informationstorage medium is not identical to any one of the revoked informationstorage medium IDs described in the information storage medium IDrevocation list.